1. Field of the Invention
The present invention relates to a device authentication system in which a first device verifies the authenticity of a second device to which it is connected, and especially to a device authentication system in challenge-response format that uses an encryption technique.
2. Description of the Prior Art
Device authentication systems in which one device verifies the authenticity of others before commencing communication are required to prevent the illegal copying or alteration of digital information that is transmitted between a plurality of devices connected by communication paths.
As one example, a production such as a movie may be digitized, compressed, and stored as a digital production on an optical disc. This digital production is then read as an electric signal by an optical disc reproduction apparatus, decompressed by a decompression apparatus, and converted into an analog signal by an AV (Audio Video) reproduction apparatus, before being reproduced.
In the above example, the optical disc reproduction apparatus and the decompression apparatus are provided as separate devices, with data communication being performed between these devices on a digital communication path. When doing so, a third party may use a digital information recording apparatus to copy the data transmitted on the communication path without the producer's consent. The third party may then proceed to produce illegal copies of the movie production using a digital information copying apparatus, and by doing so violate the producer's copyright over the production. As a result, it is necessary to prevent the illegal copying of digital information which is transmitted on a communication path, and to prevent illegal alteration and redistribution of the digital information.
Personal computers that include optical disc reproduction apparatuses and decompression apparatuses as peripherals have become increasingly widespread, with the standard system configuration being such that these peripherals are interconnected with a computer bus as the communication path. While it is commonplace for peripheral circuitry and device specifications to remain secret from the public, the electrical characteristics and signal formats of computer buses are usually revealed to the public, making the illegal copying and alteration of digital information transmitted on such communication paths a major problem.
A variety of device authentication systems have hitherto been developed. The most representative of these are authentication systems that use encrypted communication. In such systems, the transmitter verifies the authenticity of the receiver using encrypted communication, and only proceeds to transmit the desired data to receivers that have been successfully verified, thereby preventing unauthorized devices from receiving the data. It should be noted here that since the receiver needs to lay claim to its authenticity, it is generally referred to as the "claimant", while the transmitter needs to verify the authenticity of the claimant, and so is referred to as the "verifier".
There have also been cases where content (software) suppliers and hardware manufacturers have cooperated to create predetermined standards for use by devices related to the recording and reproduction of optical discs. Here, the issue is whether devices conform to the predetermined standard. Accordingly, the "verification of authenticity" described above is performed by judging whether a device conforms to the predetermined standard.
An example of a conventional device authentication system is the authentication method taught by the ISO/IEC 9798-2 Standard (International Organization for Standardization).
This technique is based on the claimant having a secret function called an authentication function which it uses to prove its authenticity to the verifier without transmitting the authentication function itself. In this setup, the verifier selects data (called "challenge data") and sends this to the claimant. The claimant then converts the challenge data using the authentication function to obtain data (called "response data") which it transmits back to the verifier. The verifier is also provided with the authentication function, and uses it to convert the transmitted challenge data, before comparing the result with the received response data. When these match, the verifier judges that the claimant is in possession of the valid authentication function, and so verifies the authenticity of the claimant.
The authentication function f described above is a mapping of an input group to an output group. If the input is set at X, the authentication function value will be written as f(X). For this function f to be an authentication function, it is necessary that (1) f be kept secret, and (2) the function value f(X) can be quickly obtained from the input value X, while the inverse calculation of the input value X from the function value f(X) is so difficult as to be practically impossible. In this specification, the authentication function provided in the verifier device (in a two-way authentication, the first device to perform verification) is called the "verification function", while the authentication function provided in the claimant device (in a two-way authentication, the first device to lay claim to its authenticity) is called the "claimant function".
FIG. 1 is a block diagram showing the construction of a conventional device authentication system.
The system shown in FIG. 1 is composed of a production storage apparatus 10 and a production user apparatus 30 which are connected by a communication path 20. The production storage apparatus 10 is the verifier device, and is composed of a random number generation unit 11, a verification function unit 12, a comparison unit 13, a production transmission gate 14, a digital production 15, and a communication I/F unit 16. On the other hand, the production user apparatus 30 is the claimant device, and is composed of a claimant function unit 31, a production processing unit 32, and a communication I/F unit 33. Here, the verification function unit 12 and the claimant function unit 31 internally store the same authentication function f.
FIG. 2 is a representation of the communication sequence of this device authentication system.
FIG. 2 shows that the production storage apparatus 10 verifies the authenticity of the production user apparatus 30, before transmitting the stored digital production 15 to the production user apparatus 30. The following is an explanation of the different processes in this sequence, using the step numbers (given in parentheses) in FIG. 2.
(1) The random number generation unit 11 of the production storage apparatus 10 generates the random number R and temporarily stores it, as well as transmitting it via the communication I/F unit 16 and the communication path 20 to the production user apparatus 30 as the challenge data CHA.
Here, CHA=R
(2) The claimant function unit 31 receives the challenge data CHA via the communication I/F unit 33 and generates the response data RES by inputting the challenge data CHA into the claimant function that it stores internally. The claimant function unit 31 then has the response data RES transmitted via the communication path 20 to the production storage apparatus 10.
Here, RES=f(CHA)
(3) The received response data RES is inputted into the comparison unit 13 in the production storage apparatus 10. The verification function unit 12 then uses the verification function that it stores internally to calculate the reference data RR from the random number R temporarily stored in Step (1).
Here, RR=f(R)
After this, the comparison unit 13 compares the response data RES with the reference data RR.
When the comparison results in a match, the production storage apparatus 10 judges that the claimant function of the production user apparatus 30 is the same as its verification function, and so verifies the authenticity of the production user apparatus 30, before advancing to Step (4).
On the other hand, when the comparison does not result in a match, the production storage apparatus 10 regards the production user apparatus 30 as not authentic, and terminates the processing therewith.
(4) The comparison unit 13 informs the production transmission gate 14 that the comparison has resulted in a match. The production transmission gate 14 then opens a communication gate, so that the digital production 15 is transferred to the production user apparatus 30.
(5) The transferred digital production 15 is used by the production processing unit 32 in the production user apparatus 30.
In the above procedure, if a production user apparatus that does not include the valid claimant function is connected to the communication path 20 in place of the valid production user apparatus 30, this production user apparatus will not be able to generate the correct data in Step (2). As a result, this apparatus will be judged as an invalid device in Step (3). By doing so, the copyrighted digital production will not be transmitted to unauthorized devices.
It should be noted that the above example describes the case where the production storage apparatus 10 one-way authenticates the production user apparatus 30, although it is also possible for authentication to be performed in the opposite direction (so that the production user apparatus 30 authenticates the production storage apparatus 10). By doing so, complete protection of the digital production 15 can be ensured.
However, regardless of whether one-way authentication or two-way authentication is performed by the conventional device authentication system described above, there is still the problem that a great amount of effort is necessary to maintain the safety of the system when the authentication function has been decoded by an unauthorized third party, or appears to be at risk of decoding. In general, the verification function unit 12 and the claimant function unit 31 are provided in the same LSI (Large Scale Integrated circuit), so that it is necessary to withdraw all of the devices equipped with this LSI and to replace this LSI with another LSI which stores a different authentication function.
Since the relationship between the challenge data and response data is fixed in a conventional device authentication system, should an unauthorized device be used as either a transmitter or receiver, it may obtain a large number of corresponding sets of challenge data and response data and convert them into a database, creating the problem that a third party will be able to effectively possess the authentication algorithm.
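The exchange of Steps (1) to (4) and the fixed challenge/response relationship noted in the preceding paragraph can be made concrete with the following added example, which is not part of the original specification. It assumes HMAC-SHA-256 under a shared key as a stand-in for the secret authentication function f; the names Verifier, authenticate and table_hit_rate, and all keys, are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def f(key: bytes, x: bytes) -> bytes:
    # Assumed stand-in for the secret authentication function f.
    return hmac.new(key, x, hashlib.sha256).digest()

class Verifier:
    """Production storage apparatus 10 (verifier device)."""
    def __init__(self, key: bytes, challenge_bytes: int = 16):
        self._key, self._n, self._r = key, challenge_bytes, None

    def challenge(self) -> bytes:
        self._r = secrets.token_bytes(self._n)      # Step (1): CHA = R
        return self._r

    def verify(self, res: bytes) -> bool:
        if self._r is None:                         # no outstanding challenge
            return False
        rr, self._r = f(self._key, self._r), None   # Step (3): RR = f(R); R is used once
        return hmac.compare_digest(res, rr)         # constant-time comparison

def authenticate(verifier: Verifier, respond) -> bool:
    """Steps (1)-(3); True means the transmission gate of Step (4) opens."""
    return verifier.verify(respond(verifier.challenge()))

def table_hit_rate(challenge_bytes: int, observed: int, trials: int) -> float:
    """Fraction of fresh challenges answerable from recorded (CHA, RES) pairs."""
    key = secrets.token_bytes(32)                   # constructed sample secret
    verifier = Verifier(key, challenge_bytes)
    table = {}
    for _ in range(observed):                       # pairs seen on the communication path
        cha = verifier.challenge()
        table[cha] = f(key, cha)                    # Step (2): RES = f(CHA)
    hits = sum(authenticate(verifier, lambda c: table.get(c, b""))
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    v = Verifier(key)
    print(authenticate(v, lambda c: f(key, c)))         # device holding the valid f
    print(authenticate(v, lambda c: f(b"wrong", c)))    # device without the valid f
    print(table_hit_rate(1, 20000, 200), table_hit_rate(16, 20000, 200))
```

Because f never changes, every recorded pair stays valid for the life of the device; with the 1-byte challenge the table covers the whole challenge space, while with 16-byte random challenges a recorded challenge is not expected to recur.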